A firestorm of anger has erupted in the advertising industry against the decision of Microsoft to incorporate a Do-Not-Track turned on as default system in the forthcoming edition of its Internet Explorer (IE) browswer. The online ad lobby--including the self-regulatory group called the Digital Advertising Alliance (DAA)--is fearful of having better privacy as the default. They know that defaults matter, and that from the get-go the millions of IE users may be sending a powerful message as they go online or use their mobile devices: don't track me and conduct the kind of spooky surveillance of my habits and behaviors that is the industry norm.
Privacy advocates have been put in a difficult position as we try to negotiate with Google, Yahoo, Adobe, and various members of the DAA over the terms of what Do Not Track should be. Several groups, including my own CDD, are part of the Worldwide Web Consortium's (W3C) initiative to create a "specification" for Do-Not-Track--the Tracking Protection Group, as its called. In pursuit of a compromise that would protect online citizens and consumers from some data collection practices involving third party data tracking, we have been willing to make several compromises. CDD has been supporting the collective privacy and consumer group coalition within the W3C to get an agreement that would prevent the collection and retention of such third party data. That would help eliminate a significant amount of commercial surveillance, potentially, and serve as an important civil liberties safeguard. The other groups working on this include the Electronic Frontier Foundation, Mozilla, Consumer Watchdog and also involves privacy advocate and tech expert Jonathan Mayer.
In order to get some meaningful limits on collection--so Do Not Track would mean Do Not Collect--we have been willing to compromise with the industry representatives on the W3C. Industry groups--including Microsoft--don't want First parties covered by Do Not Track (which should be covered, but because the FTC has been wishy washy on this point, our advocacy community didn't have much leverage), Industry also hated the idea of DNT being the default arguing, not unreasonably, that having DNT start off in "neutral"--neither on nor off--would enable a user to make a decision. The EU signaled it favored this concept, as a way of helping determine a users intent (which would help it comply with the much stronger EU privacy regime). Mozilla also favored such an approach. In my view the real reason industry doesn't want no tracking to be the default is that their real goal is to have a weak Do Not Track system. They don't want users to really know about it, use it, and have it well-defined, so they can keep up tracking, profiling and targeting as usual. They want their purposefully weak icon program to continue to undermine a user making a meaningful privacy decision.
Microsoft has been part of the W3C negotiations and should have known before it announced its defaut plan that the decision to not approve such a system had basically been decided. They also failed to support a stronger definition for DNT in the IE announcement so it would mean Do Not Collect. Consequently, the new IE plan upset the moves towards some sort of deal, and also didn't give advocates the stronger policy on collection we seek.
But the claims of outrage coming from industry groups, and the effort within the W3C now to have the specification reject any DNT requests which may come from the millions of potential IE users who like or use the default, shines a light on the DAA's motivations. They dont want real privacy by design; they don't want privacy as the default; they want to use their political power to continue the status quo that threatens our privacy and can place consumers at risk (think about your financial, health information, for example).
CDD supported the compromise that the W3C standard would not have DNT as a default. We see our role as helping EFF and the others try and make some progress. But the day of data reckoning is here. In two weeks the W3C groups meets in Seattle, ironically at Microsoft, that will help settle the fate of DNT. If the industry refuses--as is likely--to agree to the privacy and consumer proposal to limit collection and retention, DNT will founder and be nothing more than empty words.
But Microsoft actually deserves praise for what it done. The industry groups and ad companies criticizing it should be labled for what they are: afraid of empowering citizens and consumers to stop the collection and use of their information across platforms and services. The default should be privacy is on from the start. Online marketers created a vast data collection system over the last 15 years that few consumers know about or can control. It's time we even up the odds for the public.